Why the CSO/CISO Should Care About eDiscovery Part -5-

The path to enhanced CISO understanding of the importance (to the enterprise) of rock-solid digital evidence generation must first traverse the twists and turns of the electronic discovery process. The pathway through eDiscovery may best be described through what is called the Extended Electronic Discovery Reference Model (EEDRM). The model is extended because it is built upon an older and more simplified version called, not surprisingly, the "Electronic Discovery Reference Model." (For more information, see Electronic Discovery Reference Model, http://www.edrm.net/ ) ESI whose destruction is suspended by operation of a litigation hold must also be preserved. Where the EEDRM differs from the basic EDRM is in its encompassing the entire continuum represented by the information life cycle. It is extended from the perspective of addressing the data instantiation and electronic records management stages occurring well upstream of the discovery process (which generally addresses evidence presentation, pre-trial motions and the trial stages downstream of the evidence production stage).

Stage 1 of the EEDRM is focused on a simplified representation of the phases of the electronic records management cycle.

"Generation" refers to the creation of content and associated contextual information such as metadata. The event of storing typically memorializes the ESI as its first instantiation.

"Use" refers to the access, modification and transfer of the ESI resulting in the creation of identical copies and the subsequent independent modifications of these copies into distinct versions of the ESI.

"Retention" refers to archiving the ESI in various forms of storage, with real or near-real-time access or offline. Finally, the ESI is (typically)

"Disposition" of ESI is accomplished in accordance and, hopefully, in conformance, with applicable cycles set forth in document retention policies. A key question is always: what is to be disposed of? Is it a first ESI instantiation, identical ESI copies, or various ESI versions?

Stage 2 of the EEDRM focuses on the established and well defined legal discovery process.

Identification: Corporate information is generally spread over the extended enterprise, including on mobile endpoint devices (laptops and PDAs) and under the custody and control of third parties. Identification is the process of ascertaining the location of potentially relevant ESI. An organization with a retention policy may generally and legally dispose of ESI according to what is commonly known as a "Document Retention Policy". Upon notice of the commencement of litigation, or if there exists a reasonable anticipation of litigation, routine disposition of potentially relevant ESI must be immediately suspended, a step known as a "litigation hold." This cannot be effectively performed if the location of potentially relevant ESI cannot be determined. Accordingly, it is necessary (and increasingly required by parties in a lawsuit) to provide a "Data Map," a representation of possible locations of both structured and unstructured ESI. The creation of a Data Map is essential to determine where searches may have to be conducted and where information subject to a duty to preserve may reside and have to be collected.

Collection & Preservation: This is the process whereby ESI that may have potential relevance based on discovery request parameters is captured from the various locations identified by the Data Map. This information must be captured in a way that preserves it: the process of collection must not cause material changes and must maintain content and context integrity (i.e., metadata and embedded data). Moreover, this process must be carried out in a manner that preserves the ESI in its native and original format. Information about ESI provenance (origin), chain-of-custody and authenticity may also be requested and need to be documented.

Analysis: This is a critical phase of the discovery process as it serves to distill the volume of ESI collected into what is required to be produced to opposing counsel. The first step in the analysis process is to eliminate duplicates, an activity known as "de-duping". Analysis also serves to identify ESI that is permitted to be withheld (i.e., not produced) because it is either privileged or permitted special protection by operation of some other legal or regulatory requirement, or by court order. A second step of the ESI analysis phase is known as "redaction." Redaction is the process by which sensitive or privileged non-relevant subsets of content are "blanked out." The analysis phase is perhaps the most critical as it relates to developing knowledge of the case and characteristics essential to the development of a litigation strategy.
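The collection and de-duping steps described above can be sketched as a hash-based collection manifest. This is an added example, not part of the original article: the function names, the manifest fields, the sample files and the choice of SHA-256 are all assumptions, and hash matching finds only identical copies, so distinct versions of an item remain separate.

```python
import hashlib, os, shutil, tempfile
from collections import defaultdict
from datetime import datetime, timezone
def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(sources, dest_dir, custodian):
    """Copy each item in native format and record a chain-of-custody entry."""
    os.makedirs(dest_dir, exist_ok=True)
    manifest = []
    for i, src in enumerate(sources):
        st = os.stat(src)
        digest = sha256_file(src)
        dst = os.path.join(dest_dir, f"{i:04d}_{os.path.basename(src)}")
        shutil.copy2(src, dst)  # copy2 also carries over file timestamps
        if sha256_file(dst) != digest:
            raise RuntimeError(f"collection altered content: {src}")
        manifest.append({
            "source": src, "collected_as": dst, "sha256": digest,
            "size": st.st_size, "custodian": custodian,
            "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
        })
    return manifest

def dedupe(manifest):
    """Group identical copies by hash; distinct versions hash differently."""
    groups = defaultdict(list)
    for entry in manifest:
        groups[entry["sha256"]].append(entry["source"])
    return {h: paths for h, paths in groups.items() if len(paths) > 1}

def verify(manifest):
    """Return collected files whose content no longer matches the manifest."""
    return [e["collected_as"] for e in manifest
            if sha256_file(e["collected_as"]) != e["sha256"]]

if __name__ == "__main__":
    work = tempfile.mkdtemp()  # constructed sample data, not real ESI
    samples = {"memo.txt": b"Q3 forecast", "memo_copy.txt": b"Q3 forecast", "memo_v2.txt": b"Q3 revised"}
    for name, body in samples.items():
        with open(os.path.join(work, name), "wb") as f:
            f.write(body)
    m = collect([os.path.join(work, n) for n in samples], os.path.join(work, "evidence"), "sample-custodian")
    print(dedupe(m), verify(m))
```

Re-running `verify` on the stored manifest at each hand-off gives a documented check that the collected items are unchanged since collection.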

Production: The organization has a duty to respond to an ESI production request by making available relevant information to opposing counsel. Under the 2006 amendments to the Federal Rules of Civil Procedure (FRCP), the parties to a lawsuit are required to meet soon after a complaint is filed and answered for what is known as a "Rule 26 Meet and Confer" (M&C) conference. In this meeting the parties propose, define, and are expected to come to an agreement (where possible) as to ESI discovery parameters, including such factors as ESI relevance, search scope, accessibility, format, reasonableness and cost implications for the producing party. After the M&C, the parties will agree on a proposed report (that may contain agreement or disagreement on any particular discovery issue) and then typically meet in a hearing before the court (called a Rule 16b Initial Scheduling Conference). If there is disagreement between the parties as to the nature, extent, scope, or reasonableness of the electronic discovery, the Court will hear the arguments in favor of or against any particular issue, perhaps even taking the testimony of technology experts retained by either or both parties, and then render an order as to the ESI discovery conduct parameters. Accordingly, it is important to keep in mind that an understanding of the distribution of your (and your opponent's) corporate information before the M&C will assist greatly in responding effectively and in favor of your own requests, as well as in challenging unreasonable requests by your opponent. That said, it should also be kept in mind that not all ESI must be produced, and that it may be the case that only a small percentage of the ESI collected will be delivered to opposing counsel. ESI may also have to be produced in its native form, including associated metadata. It is also critical to understand that a party generally gets only one attempt to define the request. This requires that a party set out the details of, and substantiation for, the ESI requests early, clearly, and unambiguously. The CISO can play an important role in increasing both the efficacy and the efficiency of this process.

Stage 3 of the EEDRM process focuses on the presentation of relevant ESI in pre-trial motions, the determination of ESI admissibility and any subsequent expert testimony activities during the trial process. Stage 3 of the EEDRM is perhaps the most critical because without having ESI admissible as (and admitted into) evidence, one can neither support one's own factual assertions, nor challenge another's factual assertions. Pre-trial evidentiary admissibility processes therefore necessarily involve the presentation of ESI (or a challenge thereto) to a court, where admissibility as evidence will be determined. It is well worth keeping in mind Judge Grimm's caution in the Lorraine v Markel American decision:

"... considering the significant costs associated with discovery ... it makes little sense to go to all the bother and expense to get electronic information only to have it excluded from evidence ...because the proponent cannot lay a sufficient foundation to get it admitted."

A core objective at this stage sounds simple, but it is not. A party must get the ESI that has been offered as evidence admitted as evidence. In achieving this goal, expert testimony may be necessary in order to establish the rationale for the reliability of the information systems and applications involved in the chain of custody and the authenticity of the ESI itself.